asp.net中的基本表单身份验证有多安全?
[英]How secure is basic forms authentication in asp.net?
问题描述
Imagine that you have a simple site with only 2 pages: login.aspx and secret.aspx. 
想象一下,你有一个只有2个页面的简单网站:login.aspx和secret.aspx。 Your site is secured using nothing but ASP.net forms authentication and an ASP.net Login server control on login.aspx. 除了ASP.net表单身份验证和login.aspx上的ASP.net登录服务器控件之外,您的站点都是安全的。 The details are as follows: 详情如下所示:
- The site is configured to use the SqlMembershipProvider 该站点配置为使用SqlMembershipProvider
- The site denies all anonymous users 该网站拒绝所有匿名用户
- Cookies are disabled Cookie被禁用
The are obviously many things to consider regarding security but I am more interested in the zero code out of box experience that comes with the .net framework. 显然有很多事情需要考虑安全性,但我对.net框架附带的零代码开箱体验更感兴趣。
If, for the sake of this question, the only attack points are the username/password textboxes in login.aspx, can a hacker inject code that will allow them to gain access to our secret.aspx page? 如果为了这个问题,唯一的攻击点是login.aspx中的用户名/密码文本框,黑客是否可以注入允许他们访问我们的secret.aspx页面的代码?
How secure is the zero code out-of-box experience that Microsoft provides? Microsoft提供的零代码开箱即用体验有多安全?
8 个解决方案
解决方案1
14 已采纳 2008-09-25 12:53:43
You still have some variables that aren't accounted for: 您仍然有一些未考虑的变量:
- Security into the data store used by your membership provider (in this case, the Sql Server database). 对成员资格提供程序使用的数据存储的安全性(在本例中为Sql Server数据库)。
- security of other sites hosted in the same IIS 托管在同一IIS中的其他站点的安全性
- general network security of the machines involved in hosting the site, or on the same network where the site is hosted 托管站点所涉及的机器的一般网络安全性,或托管站点的同一网络
- physical security of the machines hosting the site 托管站点的计算机的物理安全性
- Are you using appropriate measures to encrypt authentication traffic? 您是否使用适当的措施来加密身份验证流量? (HTTPS/SSL) (HTTPS / SSL)
Not all of those issues are MS specific, but they're worth mentioning because any of them could easily outweigh the issue you're asking about, if not taken care of. 并非所有这些问题都是MS特定的,但它们值得一提,因为如果不加以处理,它们中的任何一个都很容易超过您所询问的问题。 But, for the purpose of your question I'll assume there aren't any problems with them. 但是,出于你的问题的目的,我会假设它们没有任何问题。
In that case, I'm pretty sure the forms authentication does what it's supposed to do. 在那种情况下,我非常确定表单身份验证能够完成它应该做的事情。 I don't think there's any currently active exploit out there. 我不认为那里有任何当前活跃的漏洞利用。
解决方案2
4 2008-09-25 12:51:36
As far as I know password will be sent as plain text (but encoded). 据我所知,密码将以纯文本形式发送(但已编码)。 So the most important thing to do is to use HTTPS protocol on login screens. 因此,最重要的是在登录屏幕上使用HTTPS协议。
The other setting seems to be secure for me. 另一个设置对我来说似乎是安全的。
解决方案3
3 2008-09-25 12:57:18
With HTTP Basic Authentication, which is what the .NET basic forms authentication is using, in order to view the secret.aspx page, the browser must send a Base64 encoded concatenation of the username and password. 使用HTTP基本身份验证(.NET基本表单身份验证正在使用),为了查看secret.aspx页面,浏览器必须发送用户名和密码的Base64编码串联。
Unless you utilize SSL, anyone who has access to scan the network between the server and the browser can read this information. 除非您使用SSL,否则任何有权在服务器和浏览器之间扫描网络的人都可以阅读此信息。 They can decode the username and password. 他们可以解码用户名和密码。 They can replay the username and password in the future to gain access to the secret.aspx page. 他们将来可以重播用户名和密码以访问secret.aspx页面。
That said, unless you use SSL, someone can also scan the whole session of someone else using secret.aspx, so in effect, they would have access to the content of the page as well. 也就是说,除非您使用SSL,否则有人也可以使用secret.aspx扫描其他人的整个会话,因此实际上,他们也可以访问该页面的内容。
解决方案4
2 2008-09-25 13:08:27
Well, try and look behind the scenes: 好吧,试着看看幕后:
Password Protection
Applications that store user names, passwords, and other authentication information in a database should never store passwords in plaintext, lest the database be stolen or compromised.
- MembershipPasswordFormat.Clear, which stores passwords and password answers in plaintext.
- MembershipPasswordFormat.Hashed (the default), which stores salted hashes generated from passwords and password answers.
- MembershipPasswordFormat.Encrypted, which stores encrypted passwords and password answers.
So the strength of your security (out of the box) will depend on which password protection format strategy you are using: 因此,您的安全性(开箱即用)将取决于您使用的密码保护格式策略:
- If you use clear text, it is obviously easier to hack into your system. 如果您使用明文,则很容易入侵您的系统。
- Using Encrypted on the other hand, security will depend on physical access to your machine (or at least, machine.config). 另一方面,使用Encrypted,安全性取决于对计算机的物理访问(或至少是machine.config)。
- Using Hashed passwords (the default) will guarantee security depending on: a) known reversals of the hashing strategy of RNGCryptoServiceProvider class and b) access to the database to compromise the randomly generated salt. 使用哈希密码(默认值)将保证安全性,具体取决于:a)RNGCryptoServiceProvider类的哈希策略的已知反转和b)访问数据库以危害随机生成的盐。
I do not know if it is possible to use some sort of rainbow table hack into the default Hash-base system. 我不知道是否可以使用某种彩虹表黑客进入默认的Hash-base系统。
For more details, check out this link: http://msdn.microsoft.com/en-us/library/aa478949.aspx 有关更多详细信息,请查看此链接: http : //msdn.microsoft.com/en-us/library/aa478949.aspx
解决方案5
1 2008-09-25 12:52:26
If configured correctly through the membership provider, you will have a adequate level of security. 如果通过成员资格提供程序正确配置,您将具有足够的安全级别。 Outside of that, access to that page might be accessible through cannonical attacks, but that has to do with your general security. 除此之外,可以通过规范攻击访问该页面,但这与您的一般安全性有关。 I gave a presentation on using the Security Enterprise Application Blocks . 我介绍了如何使用安全企业应用程序块 。 You might want to read up on those and look into that when implementing security on your site, and just be aware of common security threats. 您可能希望阅读这些内容并在实现站点安全性时进行调查,并了解常见的安全威胁。 No site will ever be 100% unhackable, given that you are on an open shared network and total security would be an unplugged server locked in a safe guarded 24/7 by the military (around DoD "A" level security, based of Orange book). 鉴于您处于开放式共享网络中,并且完全安全将是由军方全天候安全保护的安全防护服务器(基于Orange书籍的国防部“A”级安全性),任何站点都不会100%不可攻击)。 But the out of the box functionality of the Membership Providers (when configured correctly) will offer a good amount of security. 但是,成员资格提供程序的开箱即用功能(如果配置正确)将提供大量安全性。
Edit: Yeah, I agree with the other comment that was made, HTTPS on at least the log in screens is a given, if you want to protect the username/passwords from packet sniffers and network monitors. 编辑:是的,我同意其他评论,至少登录屏幕上的HTTPS是给定的,如果你想保护数据包嗅探器和网络监视器的用户名/密码。
解决方案6
0 2008-09-25 12:54:19
Asp.Net supports cookieless sessions, as this blog post shows . 正如这篇博客文章所示 ,Asp.Net支持无cookie会话。 Instead of a session cookie, it uses an identifier in the url to track users. 它使用URL中的标识符来跟踪用户,而不是会话cookie。
I am not sure how secure this is, but I would think it is a secure as the difficulty to brute force the identity string. 我不确定这是多么安全,但我认为这对于强制身份字符串的难度是安全的。
It looks like it works more or less out of the box, however when redirecting a user and wanting to maintain session state you must include the session id. 看起来它或多或少开箱即用,但是当重定向用户并希望维护会话状态时,您必须包含会话ID。 The blog post shows how to do that, as well as many other articles on the web. 博客文章展示了如何做到这一点,以及网上的许多其他文章。
解决方案7
0 2009-03-05 17:54:31
Here are two good articles from Microsoft on the subject: 以下是Microsoft关于此主题的两篇好文章:
How To: Protect Forms Authentication in ASP.NET 2.0 如何:在ASP.NET 2.0中保护表单身份验证
INFO: Help Secure Forms Authentication by Using Secure Sockets Layer (SSL) 信息:使用安全套接字层(SSL)帮助保护表单身份验证
解决方案8
0 2009-03-05 18:14:16
URL上的Cookie不够安全,它有很多不同的问题(特别是如果你有任何引用漏洞)和HTTPS的使用。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.